Not quite the questions I got, but similar outline.

BTW: It is not obvious to me what the legal status of our answers will be, and what liability we might pick up with them.

That's why I quoted T&M: I would want to talk to a lawyer before answering.

A6: "Yes. We don't know. The vulnerabilities haven't been discovered yet."

(or do they mean "known vulnerabilities"? 😜)

Based on github.blog/open-source/mainta… you are at most a "steward" under the CRA and would have rather minimal requirement. This questionnaire definitely goes beyond that.

Having said that, the questions are extremely weaseley. "Is appropriate cybersecurity testing in place" can easily be answered with yes if no testing is mandated for you as a steward, but it sure is not what the asker expects...

What the EU’s new software legislation means for developers - The GitHub Blog

The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.

^{Felix Reda (The GitHub Blog)}

Dear ,

I haven’t the motivation to answer your questions so I’ve had my LLM complie these responses for your records. Should you require a considered, articulate, Human response, then contact me to make commercial arrangements. U til then, I hope the following is sufficient:

1. Is Secure Software Development Lifecycle followed for developing this component?

Absolutely. We follow the Secure Software Development Lifecycle of the Ancient Order of the Keyboard Knights, wherein bugs are ritually exorcised by moonlight. Our threat model includes gremlins, entropy, and the eventual heat death of the universe.

2. Do you provide regular security updates for “libcurl”?

Yes, on every second Tuesday that coincides with a solar flare. Security updates are broadcast via carrier pigeon to subscribers of our psychic mailing list. You’re on that, right?

3. Is there any discontinuation/End of life for the latest version of “libcurl” in near future?

Yes. Support will cease five minutes after you read this sentence. Any continued use past that is on you, your shareholders, and possibly your descendants.

4. Do you have Long Term support for “libcurl”?

Yes. LTS extends until the next time someone rage-quits after reading corporate compliance forms. Estimated duration: ∞ ± a nervous breakdown.

5. Is appropriate cybersecurity testing followed? If yes, is any specific standard for testing used?

We use the highly regarded YOLO/420 framework, which relies on vibes, sarcasm, and staring very hard at the code until it either confesses or crashes.

6. Are there any vulnerabilities in the latest version which are not disclosed publicly?

We don’t disclose them publicly. We disclose them secretly during developer sleep cycles. If you’re not picking them up, maybe update your firmware.

7. Is the vulnerability handling procedure available for “libcurl”?

Yes. It involves screaming into a GitHub issue tracker and then sacrificing a merge request under a new moon. Full documentation is encrypted into the Fibonacci sequence.

8. Do you comply with EU-CRA requirements?

We comply with a CRA—the Cosmic Randomness Accord—which governs the behavior of open-source electrons. The EU one, nobody knows but it sounds tedious.

9. Do you provide proof of conformity regarding adherence to EU-CRA?

Yes, we have a 1:1 scale interpretive dance reenactment available on VHS. Please provide your own tape and CRT for viewing and legal review.

⸻

Let me know if you want versions that walk the line closer to plausible deniability or should be translated into bureaucratic doublespeak.

"libcurl" ... jeez.

I hope you quoted the company's name in your reply to sound equally dismissive.

I'd be "read LICENCE file" for all answers.

I'm happy to answer in more detail for £100/hour, but the answers may turn out to be the same.

But in seriousness, it is more...

"No, this is free software, but as such you can fork it, take it on in to your own s/w dev team, and have them answer all those questions if you need for this."

incredible. these fucks not only require you to work for free, but they put a deadline. Like it's a privilege they decided to use curl.

your reply has been more polite than what I could ever have replied.

1. Is Secure Software Development Lifecycle followed for developing this component?

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Do you provide regular security updates for “libcurl” ?

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Is there any discontinuation/End of life for the latest version of “libcurl” in near future?

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Do you have Long Term support for “libcurl”? If yes, please mention the version in Remark column

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Is appropriate cybersecurity testing followed? If yes, is any specific standard for testing used?

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Are there any vulnerabilities in the latest version which are not disclosed publicly? If yes, when will it be fixed and released? please mention in Remark column.

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Is the vulnerability handing procedure available for “libcurl”? if yes mention the procedure in the Remark column.

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Do you comply with EU-CRA requirements?

ANSWER: The answer to this question will cost 100000 Euro to answer.

1. Do you provide proof of conformity regarding adherence to EU-CRA? If yes, please mention details in Remark column

ANSWER: The answer to this question will cost 100000 Euro to answer.

NOTE: Paying for 1 question does not guarantee answering other questions. Payment is due upon request in full.

😂